14 DAY TRIAL // A vicious ransomware-pushing campaign that started in early February has evolved, and the criminals behind it are also using compromised Joomla sites, not just WordPress.
Brad Duncan, security researcher for Rackspace, has come across this new kink in the campaign's mode of operation after he discovered Joomla sites that exhibited the same signs of infection as first spotted by Sucuri researchers at the start of the month.
Campaign evolves and spreads to Joomla
Initially, this campaign caught Sucuri's attention after hackers were accessing WordPres sites through unknown methods and altering their source code.
Websites would show a hidden iframe, which would load malicious code, redirecting users to a Web page hosting the Nuclear exploit kit. Just a day after Sucuri published its discovery, security researchers from Heimdal Security confirmed that the exploit kit was delivering the TeslaCrypt ransomware.
Things seem to have evolved in the past days, and Mr. Duncan is now saying that the people behind this campaign have found a way to breach Joomla sites, and inject their malicious iframe in the JavaScript files of those sites as well.
Additionally, Mr. Duncan is also reporting that while in the beginning webmasters would have been able to spot the malicious code thanks to the "admedia" term used in its URL, this has now changed to "megaadvertize."
Campaign switches from Nuclear EK to Angler EK
Another change in the campaign is the fact that the crooks also dropped the Nuclear exploit kit and are using the Angler variant instead.
As a side note Mr. Duncan also observed something that was very strange, even if not related to the campaign in any way.
"So far, I've only seen TeslaCrypt from this admedia campaign. In fact, I've seen a whole lot of TeslaCrypt lately, with little other ransomware from EK traffic," the researcher notes for the SANS Institute’s Internet Storm Center. "For example, I last saw CryptoWall on 2016-02-05. Since then, I haven't noticed any CryptoWall."
